NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,567
    Running very smoothly here, but I should add that I have only enabled the options that are not preceded by an exclamation mark (with one or two exceptions), just to be on the safe side.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,897
    Location:
    Among the gum trees
  3. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    No FP's here that I can speak of and I have everything checked. Running as expected. Win 10 Enterprise LTSB.
     
  4. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Same here on two systems. One Win 8.1 Ent and the other Win 10 Pro SCU (1803).
     
    Last edited: Apr 18, 2018
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    842
    Location:
    Lunar module
    The same on Windows 10 x64.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,575
    Location:
    U.S.A. (South)
    Thanks for the report. I only worked Windows 8.1 today when it became apparent.

    Since you confirm it on Windows 10 now also, it's platform wide. Not everyone seems to be experiencing it, or they would have said so.
     
  7. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    842
    Location:
    Lunar module
    I think this is true for everyone, but few people will want to write about it.
     
  8. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    How many people will deliberately terminate "OSArmorDevSvc.exe" manually? ;)
    I tried myself to pause and then resume the protection by right-clicking the tray icon and everything went fine :)
     
  9. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    172
    Location:
    Wigan
    Every OSArmor Advanced setting is enabled. What with being fully patched with XP Embedded M$ updates and with OSArmor, Outpost Firewall Pro 9.3, Panda Dome 18.05 and MBAE 1.12.1.67 installed, am I using the most secure XP systems on (or off) the planet?

    After an initial flurry of dealing with exclusions of potential blocks, my Windows 7 and XP systems soon settled down and I am now undisturbed by more potential blocks.
     
    Last edited: Apr 18, 2018
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,575
    Location:
    U.S.A. (South)
    Likely just a self-protection feature guarding driver termination (which is the heart of the matter) that will be juiced up to cover it from such occurrence. If the driver goes down, the whole works stop.

    IIRC there is/was some basic self-protection already implemented. This one caught me off guard because the other day I DID NOT just simply try to terminate the service, but yesterday I did so deliberately in an effort to see if it was possible to restart on the user end of things.
     
  11. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    172
    Location:
    Wigan
    I am trying to setup OSArmor to allow a 16-bit process to run in Windows XP.

    The exclusion rule created by OSArmor is:
    [%PROCESS%: C:\WINDOWS\system32\ntvdm.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\system32\ntvdm.exe" -f -i5 -ws -a C:\WINDOWS\system32\krnl386.exe] [%PARENTPROCESS%: C:\WINDOWS\explorer.exe]

    However, wowexec.exe and newsoed.exe (the actual 16-bit application) should also run but are not permitted to do so by the above rule, and I cannot see how to modify it to permit them to execute. Does anyone have any idea how to make it work?
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,083
    Location:
    Italy
    It is not possible to exclude a 16-bit process on XP.
     
  13. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    172
    Location:
    Wigan
    Thank you for that information. I will cease banging my head against this wall with immediate effect.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    loungehake

    Unfortunately as Sampei said, it is not possible to exclude specific 16-bit .exe files.

    You need to completely disable the option "Block 16-bit processes".

    EASTER

    Can you check the Windows Event Viewer to see if there is something about OSArmorDevSvc?

    We are adding self-defense against process termination so only Task Manager can terminate OSArmorDevSvc.exe and OSArmorDevUI.exe

    OSArmorDevUI.exe (the GUI) can't restart the service due to limited privileges (it is the service that installs the driver).

    If OSArmorDevSvc.exe is stopped or terminated, it needs to be restarted manually via Services Manager (services.msc).

    Normally a user should never stop OSArmorDevSvc.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,575
    Location:
    U.S.A. (South)
    @novirusthanks - My Event Logs are set to Clear on a schedule (all of them) but I will review them to determine if the event was logged or not then submit for you. Otherwise I might not be able to retrieve that day's issue which caused it. I also will review FileChangeAlarm Logs and dig around in those for you. They do not schedule deletion/clearing, I do those manually.

    Kudos and seems a sound idea (adding self-defense) to limit only Windows Task Manager permissions to terminate. :thumb:

    OSA is rolling and singing happy tunes on this end with absolutely no FP's too!
     
    Last edited: Apr 19, 2018
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,683
    Anyone running OSArmor alongside AppGuard?
    Wonder if the two would not only get along but if they would complement each other without too much overlap.
     
  17. guest

    guest Guest

    I do, OSA with almost everything ticked; the combo works well, and OSA allows me to lighten my AG policy (limited to 128 lines).
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Appguard and OSArmor happily singing a duet here
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    Uploaded a new video:

    Fattura.xls and Documento.xls Exploit Payload Blocked by OSArmor


    EASTER


    Great, keep me updated if you find anything :)
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,575
    Location:
    U.S.A. (South)
    @novirusthanks - Event Logs as suspected are scrubbed. I never keep those very long coz frankly things run just peachy and I am a stickler for not letting those Windows logs pile up. But if anything pops out which might be useful from the FileChangeAlarm logs, count on it.

    Thanks for such an awesome n masterful piece of work. OSA really rocks! :)

    For that matter so does ERP 4. Running both on Win 8.1 & Win 10 systems with outstanding results!
     
  21. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Latest build running great for days! I have nearly everything "checked".
     
    Last edited: Apr 20, 2018
  22. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Runs well here...
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,083
    Location:
    Italy
    Date/Time: 20/04/2018 20.06.24
    Process: [3636]C:\WINDOWS\Temp\is-HUJV3.tmp\mbae-setup-1.12.1.68.tmp
    Process MD5 Hash: A2C4D52C66B4B399FACADB8CC8386745
    Parent: [3616]C:\WINDOWS\Temp\mbae-setup-1.12.1.68.exe
    Rule: BlockUnsignedProcessOnWindowsTemp
    Rule Name: Block execution of unsigned processes on Windows Temp
    Command Line: "C:\WINDOWS\TEMP\is-HUJV3.tmp\mbae-setup-1.12.1.68.tmp" /SL5="$302EA,1641266,56832,C:\WINDOWS\TEMP\mbae-setup-1.12.1.68.exe" /VERYSILENT /SUPRESSMSGBOXES
    Signer:
    Parent Signer: Malwarebytes Corporation
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: Unknown
    Parent Integrity Level: Unknown


    The MBAE uninstaller is unsigned.
    The OSA uninstaller is signed. :thumb: ;)
     
    Last edited: Apr 20, 2018
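An added example, not code from the thread or from OSArmor itself, that parses a block event in the layout quoted above and renders it in the bracketed exclusion format shown earlier for ntvdm.exe (the function names are mine, and that the three-field rule format generalises to other events is an assumption):

```python
import re

# Constructed sample: the block event quoted in the thread, in the layout OSArmor writes to its log.
SAMPLE_EVENT = r"""
Date/Time: 20/04/2018 20.06.24
Process: [3636]C:\WINDOWS\Temp\is-HUJV3.tmp\mbae-setup-1.12.1.68.tmp
Parent: [3616]C:\WINDOWS\Temp\mbae-setup-1.12.1.68.exe
Rule: BlockUnsignedProcessOnWindowsTemp
Rule Name: Block execution of unsigned processes on Windows Temp
Command Line: "C:\WINDOWS\TEMP\is-HUJV3.tmp\mbae-setup-1.12.1.68.tmp" /SL5="$302EA,1641266,56832,C:\WINDOWS\TEMP\mbae-setup-1.12.1.68.exe" /VERYSILENT /SUPRESSMSGBOXES
Signer:
Parent Signer: Malwarebytes Corporation
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: False
Integrity Level: Unknown
Parent Integrity Level: Unknown
"""

# "Process" and "Parent" values carry the PID in square brackets before the image path.
PID_PATH = re.compile(r"^\[(\d+)\](.*)$")


def parse_event(text):
    """Turn one 'Key: Value' event block into a dict; PID-prefixed paths are split out."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only: paths contain 'C:'
        fields[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        m = PID_PATH.match(fields.get(key, ""))
        if m:
            fields[key + " PID"] = int(m.group(1))
            fields[key] = m.group(2)
    return fields


def unsigned_child_of_signed_parent(ev):
    """The pattern in the quoted event: a signed installer spawning an unsigned temp binary."""
    return ev.get("Signer", "") == "" and ev.get("Parent Signer", "") != ""


def exclusion_rule(ev):
    """Render the event in the bracketed exclusion format the thread shows for ntvdm.exe.
    Assumption (not confirmed by the thread): the same three-field form applies to any event."""
    return (f"[%PROCESS%: {ev['Process']}] "
            f"[%PROCESSCMDLINE%: {ev['Command Line']}] "
            f"[%PARENTPROCESS%: {ev['Parent']}]")
```

Reviewing the rendered rule before adding it as an exclusion keeps the allow-list tied to the exact image, command line and parent rather than to a whole folder.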
  24. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,597
    Location:
    USA
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    Here is a new v1.4 (pre-release) test60:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test60.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block suspicious processes
    + Improved Block suspicious command-line strings
    + Improved Block processes located in suspicious folders
    + Added self-protection against process termination via kernel-mode driver
    + Kernel-mode drivers for self-protection are co-signed by Microsoft
    + Only Task Manager can terminate OSArmorDevSvc.exe and OSArmorDevUI.exe
    + Save and restore window size of Configurator GUI
    + Instead of playing the beep sound it now plays a WAV sound when something is blocked
    + Events are now saved as topmost on the log file
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    Rainwalker

    What do you mean exactly?
     